
Spotify users are shocked to discover that their identities are being exposed across the internet whenever they share a song.
Spotify announced a new feature last week – direct messaging – that was supposed to make music sharing easier. However, it all got out of control as Redditors started to notice weird things.
A Redditor who tested the new direct messaging tool noticed that the app automatically suggested “friends” based on past link sharing. Most names were familiar, but a few weren’t. This made users realize that Spotify had connected their account to people they’d only interacted with anonymously on Discord while playing games and sharing music.
“I’ve always kept Discord anonymous, and Spotify has never been a ‘social’ app for me,” the Redditor wrote, terrified.
“But now it seems that anyone I’ve sent a Spotify link to, if they also have an account, can potentially find me, which means they could discover my full name and other account info.”
Spotify received more backlash as frustrated users seem unable to find a way to opt out of this new feature. Other platforms, such as YouTube, allow users to generate sharing links without tying them to their identity. The problem with Spotify is that users have no other choice but to expose their identity if they want to share a song.
“That's craaaaaaazzzzzzyyyyyyyy okay I hid everything and hoping for the best. What in the world, Spotify?!?!” one Redditor commented.
“This is really dumb. I knew this feature was going to screw something up... I really just want to listen to music, Spotify,” raged another.
The share link is packed with a tracker
Internet users have pointed out that tracking comes with the share link. Every time a Spotify user shares a song from within Spotify, the app generates a unique tracking URL linked to the account. This allows Spotify to connect users with anyone else who uses that same link. Spotify users should watch for “?si=” followed by 16 characters at the end of every link.
Users say the app has already backfilled chat histories, pulling in years of past song shares, even ones originally sent over WhatsApp or other platforms. This means Spotify has been tracking those unique link identifiers all along, quietly mapping connections between accounts.
“This is a lawsuit waiting to happen,” Redditors complained, blaming Spotify for doxxing users.
The fear is simple: the connections that Spotify is making can unmask people who deliberately keep their online identities separate.
One Redditor pointed out how a single slip could expose them.
“Had a real selfie on my Spotify account, and I have real-life friends following me on Spotify, so if my account shows up in suggestions to random people, they can easily doxx me from that.”
Others are already taking countermeasures, such as removing profile pictures, hiding followers, and tweaking display names. Another user warned, “Yeah, all you can do is hide everything, remove photos, and change your name. But unfortunately (as has been the case for years already, I believe), you still can not change your actual user name.”
And it’s not just old links fueling the concern. Spotify’s “Jam” sessions are also being tracked.
“I've also contacted Spotify already about this because it's not only the links you've shared but also any Jam you've participated in,” said one commenter.
Cybernews has reached out to Spotify for a comment, but a response is yet to be received.
Cybernews advises hiding personal information on Spotify
The Cybernews research team looked at the situation and admitted that user privacy might be at risk.
“It’s clear that privacy wasn't a priority when developing this feature, meaning users who want to remain private, while sharing songs, should take proactive actions,” the team stated.
Our researchers advised users to disable the messaging feature in the app's settings and change their Spotify username to match their usual alias, or create a new one.
“There’s no reason to have your Spotify account with your full name publicly visible,” they said.
Is it an industry standard to doxx users?
Spotify isn’t the first platform accused of accidentally exposing users’ identities through something as simple as a shared link, with Redditors suggesting that it’s kind of an industry standard.
As one commenter pointed out, “TikTok and Instagram do this too – I’ve seen people accidentally doxx themselves by sharing links on Reddit as well. E.g., along the lines of ‘Alex shared this link with you! Click here to follow him.’”
For some, the situation points to a broader pattern of apps quietly erasing anonymity.
“All of these fucking apps are trying to doxx us,” one Redditor vented.
“I’ve had this issue with TikTok and Instagram and most recently Substack… Glad I only share links with people on Discord that know me IRL. This shit pisses me off to no end.”
Big tech companies have been under fire lately for failing to protect users’ privacy. Last month, Meta released its Instagram Maps feature, which also received heavy backlash for exposing user locations.
OpenAI was also caught in a scandal the same month, after an internet user found ChatGPT conversations indexed on Google.